HPE Community
Operating System - HP-UX
1752292 Members
4432 Online
108786 Solutions
New Discussion юеВ

Re: suid on directory does not change ownership to that of owner of directory ??

 
SOLVED
Go to solution
Sammy_2
Super Advisor

тАО10-20-2008 09:17 AM

тАО10-20-2008 09:17 AM

suid on directory does not change ownership to that of owner of directory ??

HPUX 11.11

# ls -ld /app/test
drwsrwsr-x 2 subir01 eteam 1024 Oct 20 11:58 /app/test

If user "clyde18" touches file in above dir, I was expecting the owner to be subir01 (according to SUID set on directory) . Why is OS setting owner to that of the userid who touched file.
$ id
uid=12216(clyde18) gid=206(eteam)
$ touch /app/test/myperms

$ ls -ld /app/test/myperms
-rw-rw---- 1 clyde18 eteam 0 Oct 20 12:11 /app/test/myperms


Thanks for help in advance.




good judgement comes from experience and experience comes from bad judgement.
0 Kudos
Reply
7 REPLIES 7
jerry1
Super Advisor

тАО10-20-2008 09:30 AM

тАО10-20-2008 09:30 AM

Solution

Re: suid on directory does not change ownership to that of owner of directory ??

Because that is the behavior now.
Setting u+s does not make files created in
that directory owned by owner of the directory. Only the group if g+s is set.

The man pages are not kept up to date
nowadays.
Reply
James R. Ferguson
Acclaimed Contributor

тАО10-20-2008 09:35 AM

тАО10-20-2008 09:35 AM

Re: suid on directory does not change ownership to that of owner of directory ??

Hi Sammy:

The directory's *group* owner is what will be conferred to the newly created file when the the directory has its 'setgid' bit set.

Regards!

...JRF...
Reply
Sammy_2
Super Advisor

тАО10-20-2008 11:35 AM

тАО10-20-2008 11:35 AM

Re: suid on directory does not change ownership to that of owner of directory ??

Thanks Jerry and JRF.
Then do you know of a way so I can redirect user's history file to a directory so he can not delete or edit it. Right now, the .sh_history file is owned by the user by default and so he can modify it.


.profile of user "dp" below
======
HISTFILE="$ARCHIVE_DIR/.sh_history_$LOGNAME_PID_$$" ; export HISTFILE



output in $ARCHIVE_DIR

Right now, the dp user can edit this file and delete the commands he entered.

-rw------- 1 dp escript 174 Oct 20 14:33 .sh_history_DP_PID_8243


Thanks
good judgement comes from experience and experience comes from bad judgement.
0 Kudos
Reply
Patrick Wallek
Honored Contributor

тАО10-20-2008 11:44 AM

тАО10-20-2008 11:44 AM

Re: suid on directory does not change ownership to that of owner of directory ??

If the user can't edit the history file, how is he/she supposed to use the history functionality?
0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

тАО10-20-2008 11:48 AM

тАО10-20-2008 11:48 AM

Re: suid on directory does not change ownership to that of owner of directory ??

Hi (again) Sammy:

> Then do you know of a way so I can redirect user's history file to a directory so he can not delete or edit it. Right now, the .sh_history file is owned by the user by default and so he can modify it.

You're asking for your cake and to eat it too.

The shell needs to have write-access to the directory in which you tell it to create a history file. Directory write-access infers the ability to delete a file. File write-ability means that all or some the data within can be munged.

Regards!

...JRF...
0 Kudos
Reply
Sammy_2
Super Advisor

тАО10-20-2008 12:37 PM

тАО10-20-2008 12:37 PM

Re: suid on directory does not change ownership to that of owner of directory ??

Thanks to all who replied.

The goal was to monitor user activities (once they sudo to application acct) so if they rm a file, we (sys admins and mgrs) can look in the history log who did what. Mgmt wanted to prevent users from cleaning their own .sh_history file after some nefarious activity.

But seems like we can't do it so may have to suggest powerbroker tool (which costs money).

Thanks
good judgement comes from experience and experience comes from bad judgement.
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

тАО10-20-2008 11:46 PM

тАО10-20-2008 11:46 PM

Re: suid on directory does not change ownership to that of owner of directory ??

>JRF: The shell needs to have write-access to the directory in which you tell it to create a history file.

No it doesn't if you manually create an empty file there. But this doesn't really help.

>File write-ability means that all or some the data within can be munged.

Unfortunately this is what will allow the data to be munged.
What Sammy needs is a file with append only access, a pipe. Unfortunately that won't work as a history file.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.